24.1.1 Apply Patch if Autocatalog Feature Causes System Instability

A new autocatalog feature is enabled by default in fresh installations of Release 1 (11.1.1.6.0). When this feature is enabled, Oracle Internet Directory automatically invokes the catalog command to index attributes when you search for them. Oracle Internet Directory spawns a new process for each catalog attribute, so adding a large number of catalog attributes to Oracle Internet Directory at once can cause system instability. System resource issues have been observed during the following operations:

As a workaround, apply the patch for MLR Bug 13879999. The patch disables the autocatalog feature.

24.1.2 ODSM Browser Window Becomes Unusable

Under certain circumstances, after you launch ODSM from Fusion Middleware Control, then select a new ODSM task, the browser window might become unusable. For example, the window might refresh repeatedly, appear as a blank page, fail to accept user input, or display a null pointer error.

As a workaround, go to the URL: http://host:port/odsm, where host and port specify the location where ODSM is running, for example, http://myserver.example.com:7005/odsm. You can then use the ODSM window to log in to a server.

Use the flag -v as the last parameter when running the ldapdelete command. For example:

ldapdelete -h hostname -p portname -D cn=orcladmin -w welcome1 -v 's'

24.1.4 Bulkmodify Might Generate Errors

If Oracle Internet Directory is using Oracle Database 11g Release 1 (11.1.0.7.0), you might see ORA-600 errors while performing bulkmodify operations. To correct this problem, apply the fixes for Bug 7019313 and Bug 7614692 to the Oracle Database.

24.1.6 Turkish Dotted I Character is Not Handled Correctly

Due to a bug, Oracle Internet Directory cannot handle the upper-case dotted I character in the Turkish character set correctly. This can cause problems in Oracle Directory Services Manager and in command-line utilities.

24.1.7 OIDCMPREC Might Modify Operational Attributes

By default, the oidcmprec tool excludes operational attributes during comparison. That is, oidcmprec does not compare the operational attribute values in source and destination directory entries. During reconciliation of user-defined attributes, however, operational attributes might be changed.

24.1.8 OIDREALM Does Not Support Realm Removal

The oidrealm tool supports creation, but not deletion, of a realm. A procedure for deleting a realm is provided in Note 604884.1, which is available on My Oracle Support at https://support.oracle.com/.

If you use Oracle Database 11.2.0.1.0 with Oracle Internet Directory, apply Patch 9952216 (11.2.0.1.3 PSU) to Oracle Database. Purge jobs do not function properly without this patch.

24.1.10 SQL of OPSS ldapsearch Might Take High %CPU

The SQL of an OPSS one level ldapsearch operation, with filter "orcljaznprincipal=value" and required attributes, might take unreasonably high %DB CPU. If this search performance impacts the overall performance of the machine and other processes, you can alleviate the issue by performing the following steps in the Oracle Database:

Log in to the Oracle Database as user ODS and execute the following SQL:

Flush the shared pool by using the ALTER SYSTEM statement, as described in the Oracle Database SQL Language Reference.

24.1.11 If you Start the Replication Server by Using the Command Line, Stop it Using the Command Line

If you start the replication server by using the command line, stop it by using the command line. If you attempt to stop it by using Oracle Enterprise Manager Fusion Middleware Control, the attempt fails.

24.2.1 Re-Create Wallet After Moving Oracle Internet Directory from Test to Production

If you configure Oracle Internet Directory to use SSL in server authentication mode or mutual authentication mode on your test machine, and then move Oracle Internet Directory to a production machine, re-create the Oracle Internet Directory wallet on the production machine.

The old wallet contains the host name of the original machine as the DN in the certificate. This host name in the DN is not changed during the test to production move. Re-create the wallet on the production machine to avoid SSL communication issues.
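A quick check for the mismatch described above, as an added example that is not Oracle code. It assumes openssl is installed and that the server certificate has already been exported from the wallet to a PEM file; the function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not Oracle code. Assumes openssl is available and the
# server certificate was exported from the wallet to a PEM file.

# cert_cn PEM_FILE: print the first CN found in the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject=[ ]*//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# cn_matches_host PEM_FILE HOSTNAME
# Returns 0 if the CN equals HOSTNAME (case-insensitive), 1 if it differs
# (the wallet still carries the test machine's name), 2 if no CN was read.
cn_matches_host() {
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] || return 2
    if [ "$cn" = "$want" ]; then
        return 0
    fi
    echo "certificate CN '$cn' does not match host '$want': re-create the wallet" >&2
    return 1
}

# Usage on the production machine (placeholder path):
#   cn_matches_host /path/to/exported_server_cert.pem "$(hostname -f)"
```

A return value of 1 on the production machine means clients that verify the server name will reject the connection until the wallet is re-created.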

When you configure Oracle Internet Directory (OID) for privileged ports as mentioned in Section "Configure the First Oracle Internet Directory Instance" of Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management, the config wizard prompts the following when you run oracleRoot.sh:

Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)

If you select yes, the script execution fails with the following error:

/u01/app/fmw/idm/oracleRoot.sh: line 47: syntax error: unexpected end of file

To work around this issue, modify the oracleRoot.sh file located in the ORACLE_HOME directory. Change the following line:

fi# This command path is not already provided in the existing root.sh:

to

fi
# This command path is not already provided in the existing root.sh:
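The shell reads `fi#` as one ordinary word, not as the keyword `fi` followed by a comment, so the `if` block is never closed and parsing runs to end of file. The following added example (not Oracle code) applies the edit above and confirms with `sh -n` that the result parses before replacing the file; the function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle code: split the fused "fi#" line and confirm
# the script parses before replacing it. Sample content below is constructed.

# fix_fused_fi FILE: returns 0 if FILE parses (already, or after repair).
fix_fused_fi() {
    f=$1
    sh -n "$f" 2>/dev/null && return 0      # already parses, leave it alone
    cp -p "$f" "$f.bak" || return 1         # keep the original next to it
    # Break any line starting with "fi#" into "fi" plus a comment line.
    awk '/^[ \t]*fi#/ { i = index($0, "#")
                        print substr($0, 1, i - 1); print substr($0, i); next }
         { print }' "$f.bak" > "$f.tmp" || return 1
    if sh -n "$f.tmp" 2>/dev/null; then
        cat "$f.tmp" > "$f"                 # overwrite in place: mode and owner unchanged
        rm -f "$f.tmp"
        return 0
    fi
    rm -f "$f.tmp"                          # repair did not help; FILE is untouched
    return 1
}

# make_sample FILE: write a constructed script with the defect from this note.
make_sample() {
    printf '%s\n' '#!/bin/sh' \
        'if [ -n "$RUN_OID_ROOT" ]; then' \
        '    echo "would run oidRoot.sh"' \
        'fi# This command path is not already provided in the existing root.sh:' \
        'echo "continuing"' > "$1"
}
```

Because the script is run as root, review the difference between the file and its `.bak` copy before executing it.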

24.3.1 Bulkdelete Deletes Entries, not Attributes

The section on bulkdelete in the "Performing Bulk Operations" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory is entitled "Deleting Entries or Attributes of Entries by Using bulkdelete." This title is misleading. You can only use bulkdelete to delete entire entries or subtrees. The first sentence in that section is also misleading and should be ignored.

24.3.3 Incorrect Bug Numbers in Prerequisites for Rolling Upgrade

The bug fix numbers listed in the Prerequisites section of the "Performing Rolling Upgrades" appendix to Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory are incorrect. They should be as follows:

If you have Oracle Internet Directory Version 11.1.1.2.0, apply the fix for bug number 10431688 on each Middleware Oracle home.

If you have Oracle Internet Directory Version 11.1.1.3.0, apply the fix for bug number 10431664 on each Middleware Oracle home.

24.3.4 Default orclcryptoscheme Value is SSHA

In Oracle Internet Directory 11g (11.1.1.3) and (11.1.1.4), the default value of orclcryptoscheme is SSHA. The documentation is incorrect in the following places:

24.3.6 ODSM Schema Tab is Available to Non-Super User

Section 7.4.1.2, "Non-Super User Access to Oracle Directory Services Manager," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, states that if you log in as a user other than the super user, you can access only the Home and Data Browser tabs. Actually, you can access the Schema tab as well.

You must update the registration of an Oracle Internet Directory component in a registered Oracle instance by running opmnctl updatecomponentregistration whenever you change any of the following instance parameters:

"Attributes of the Instance-Specific Configuration Entry" in Chapter 9

orclnonsslport

"Attributes of the Instance-Specific Configuration Entry" in Chapter 9

orclsslport

"Attributes of the Instance-Specific Configuration Entry" in Chapter 9

userpassword

"Changing the Password for the EMD Administrator Account" in Chapter 12

In versions of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory released in January, 2011 or earlier, there are several statements to the effect that you do not need to run opmnctl updatecomponentregistration if you use Oracle Enterprise Manager Fusion Middleware Control or WLST to change the parameter. This is not true. You must always run the command after changing any of these parameters. The syntax is:

"Updating the Component Registration of an Oracle Instance by Using opmnctl" in the "Managing Oracle Internet Directory Instances" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.


24.3.10 Incorrect LDIF File for Enabling Referential Integrity

In versions of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory prior to January 2011, the LDIF file shown in the "Enabling Referential Integrity by Using the Command Line" section in the "Configuring Referential Integrity" chapter is incorrect. The file should look like this:

24.3.11 Errors in remtool -pthput Sections

In the "Syntax for remtool," "Arguments to remtool," and "Syntax for remtool -pthput" sections of the remtool reference in Chapter 4 of Oracle Fusion Middleware Reference for Oracle Identity Management, the -interval time_in_seconds option should be enclosed in brackets ([]) because it is optional.

The sample output in the section "Listing DRG Information at Intervals" is missing the line:

24.3.13 List of bulkmodify Limitations is Incomplete

Section 15.4, "Modifying Attributes of a Large Number of Entries By Using bulkmodify," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and Section 3.3, "bulkmodify," in Oracle Fusion Middleware Reference for Oracle Identity Management both contain incomplete lists of bulkmodify limitations. The limitations are as follows:

The bulkmodify tool does not allow add or replace operations on the following attributes:

dn (use ldapmoddn instead)

cn (use ldapmodify instead)

userpassword (use ldapmodify instead)

orclpassword (use ldapmodify instead)

orclentrylevelaci (use ldapmodify instead)

orclaci (use ldapmodify instead)

orclcertificatehash

orclcertificatematch

any binary attribute

any operational attribute

It does not allow replace operation on the attribute objectclass.

It does not allow add for single-valued attributes.

24.3.14 orclpwdmaxinactivity Attribute Should be orclpwdmaxinactivitytime

Both Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and Oracle Fusion Middleware Reference for Oracle Identity Management refer to the attribute orclpwdmaxinactivity. The actual name of the attribute is orclpwdmaxinactivitytime.

24.3.15 Replication Instructions in Tutorial for Identity Management are Incomplete

In the Tutorial for Identity Management, which is linked from Getting Started with Oracle Identity Management, Chapter 3, "Setting up Oracle Internet Directory Replication," is missing important information. Specifically, the instructions do not work unless the new consumer node is empty. For more information, see Section 39.1.7, "Rules for Configuring LDAP-Based Replication," in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

24.3.16 Documentation of -P and -Q Options to LDAP Commands is Incomplete

Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory and Oracle Fusion Middleware Repository Creation Utility User's Guide both document the -P and -Q options to ldapbind and other LDAP commands. The -P option requires you to specify a wallet password on the command line. The -Q option enables you to provide a password in response to a prompt, which is more secure than typing it on the command line.

Neither document explains how to use these options when there is no password. This is significant because Oracle Internet Directory relies on AutoLogin wallets for SSL configuration, and AutoLogin wallets have no passwords.

When there is no wallet password, specify the password on the command line as a null string, using quote characters, that is:

-P ""

If you are using -Q, when prompted for the password, hit Enter.

24.3.17 New Configuration Attribute orclcompatibleversion is Missing from Documentation

Neither Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory nor Oracle Fusion Middleware Repository Creation Utility User's Guide mentions orclcompatibleversion, a new multivalued attribute of the DSE. Beginning with version 11.1.1.6, orclcompatibleversion contains the Oracle Internet Directory version. Do not modify this attribute. It must be present for Oracle Internet Directory 11.1.1.6 to work with the 11.1.1.6 schema.

The older attribute orcldirectoryversion still exists, but is no longer updated to indicate the Oracle Internet Directory version.

24.3.18 Managing Auditing Chapter Should Have More References to the Security Guide

The Managing Auditing chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory refers briefly to the Auditing content in the Oracle Fusion Middleware Application Security Guide. It should also point out that there are Oracle Internet Directory examples in the "Configuring and Managing Auditing" chapter of Oracle Fusion Middleware Application Security Guide.

24.3.19 Fusion Middleware Control and WLST Now Connect to Server Using an SSL Port

In several places, Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory states that WLST and Oracle Enterprise Manager Fusion Middleware Control can only connect to the server using SASL over a non-SSL connection. This is no longer correct. Now WLST and Fusion Middleware Control connect to the server using an SSL port. Therefore, you must now set orclsslenable to 1 or 2 in order for WLST or Oracle Enterprise Manager Fusion Middleware Control to connect.

Install Oracle Internet Directory on the remote master sites in the same way as on the master site. For more details about Oracle Internet Directory installation, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

Step 3 of Section C.2.2.3.2, "From the MDS, Configure Advanced Replication For Directory Replication," refers to a note about prerequisites. The note does not exist. The prerequisites for this step are:

Before you begin, stop all Oracle Internet Directory server processes on the MDS and RMS sites. After the setup operation is completed, you can restart all Oracle Internet Directory processes and replication server processes.

Step 3 of Section C.2.2.3.2, "From the MDS, Configure Advanced Replication For Directory Replication," does not mention that if an Advanced Replication node already exists on the Remote Master Site, that node's data entries are removed when you run remtool -asrsetup.

Section C.2.2.7, "Task 7: Test Directory Replication," is missing a reference to the section of the book that describes how to test replication. It should refer to Section 39.4, "Testing Replication Using Oracle Directory Services Manager."
